Introduction

Computer forensics labs across the United States and around the world are struggling to keep up with their ever-growing caseloads. The overwhelming increase in cases affects law enforcement, government agencies and large corporations alike. However, the issue is most often discussed within the context of criminal investigations, for obvious reasons. In an American Idol world you don't expect to see a lot of news coverage on digital investigations and computer forensics labs, so when this issue makes headlines, you know it is a very real, very dire problem. In January of 2009, the backlog in the FBI cybercrime labs made national news, largely because the backlog was seriously delaying the progress made on child pornography cases. It is a very sad fact that the majority of criminal cases involving digital evidence are child pornography/exploitation cases. During that January 2009 coverage, FBI Executive Assistant Director Stephen Tidwell was quoted as saying, "The pervasiveness of the Internet has resulted in the dramatic growth of online sexual exploitation of children, resulting in a 2,000 percent increase in the number of cases opened since 1996." So, it's not only the number of delayed cases that makes this an urgent matter. It is the nature of most of these cases that dramatically increases the pressure on computer forensics labs to implement more efficient policies and practices to overcome this issue. To make matters worse, in the recent case Melendez-Diaz v. Massachusetts, the Supreme Court found that lab reports prepared by forensic experts, if introduced into evidence, were subject to the 6th Amendment Confrontation Clause. This means that if your computer forensics report is used as evidence in court, the defense can call you to the stand for cross-examination. Some analysts are expecting this new ruling to further increase the already significant backlog.
In his dissent, Justice Anthony Kennedy stated, "The Court threatens to disrupt forensic investigations across the country and to put prosecutions nationwide at risk of dismissal when a particular laboratory technician simply does not or cannot appear." The fear is that there are not enough examiners to handle the flood of cases crossing their desks and still make time to appear in court to defend their findings. Large corporations are also experiencing the digital investigations bottleneck, and while the corporate cases may not always seem newsworthy, the impact that consistent investigation delays have on the bottom line and on employee/customer privacy is significant. This paper will take a look at the factors that contribute to these burdensome backlogs, and then it will review the technical requirements necessary to significantly reduce, or even overcome, the digital bottleneck that plagues computer forensic personnel. Finally, it will illustrate how a solution meeting these technical requirements can be implemented into a lab's existing infrastructure and discuss the associated benefits.

Obstacles to Overcoming Caseload Backlogs

A Justice Department audit of the FBI's cybercrime labs found that 353 requests were awaiting FBI analysis, and it took an average of 60 days for FBI personnel to examine evidence. Inspector General Glenn Fine said, "The processing time for the digital evidence in some cases could take up to nine months, which we concluded was too long." While the FBI was the unfortunate recipient of this bad press, the fact is virtually every single cybercrime lab throughout the country is overwhelmed. Likewise, the information security departments in almost every large corporation we've met with tell us that they need more human resources and more hardware resources. There are several factors that must be addressed to overcome caseload backlog:

Outdated Hardware

For example, a state police agency applying for federal assistance in April of 2009 stated that of the 95 members of its statewide Computer Crime Taskforce, 35 were using mobile forensic computers that are more than six years old. This is a common complaint among state and local law enforcement agencies. In fact, even commercial organizations commonly face budgetary limitations with regard to their hardware resources.

Understaffed Departments

As of May 21, 2009, the Internet Crimes Against Children (ICAC) Program's 59 task forces throughout the country were awarded Recovery Act funds totaling $41.5 million. Among the 59 task forces, one of the primary uses for that money, as stated in the ICAC memo, is to hire new investigators/analysts or to retain analysts who would otherwise have to be laid off. When it comes to commercial organizations, the primary goal is business continuity. The cogs must turn or production suffers. To many in the corporate arena, computer forensics implies that a cog, or cogs, must stop turning. Therefore, it is often the case that computer forensics is not at the top of the list when budget dollars are doled out.
In fact, according to the 2008 CSI Computer Crime and Security Survey (surveying information security practitioners), only 41% of its respondents even use forensics tools to help secure their data.

Lack of Training and Training Dollars

Many local law enforcement agencies do not have a trained computer forensic analyst on staff and must send the seized data to a state or regional lab for analysis. Even departments and labs with computer forensic analysts on staff find it difficult to provide continuing education to their analysts, which can delay progress on a case. If there are only two seasoned analysts on staff, and several novices, the two pros will find themselves bogged down with analysis work. It's no wonder that most state and local applications for federal aid cite training as one of the top reasons for requesting the funds.

Evidence Being Processed and Reviewed in Disparate Locations

It is often the case that data seized at the scene of the crime or acquired from a computer at a remote office is actually processed at a central computer forensics lab, while the investigators, legal personnel and HR personnel responsible for reviewing that evidence are somewhere entirely different. This makes for an inefficient review process.

The One Case One Analyst Paradigm

Traditionally, one analyst will be assigned to a case, and that analyst sees the case through from processing to reporting. That model may have worked back in 1996, but with the influx of computer crime and the dramatic increase in computer-related evidence per case, computer forensics labs might take a lesson from Henry Ford. It is becoming more difficult for examiners to get through a single large case in a reasonable amount of time because data sets keep growing, and the problem is continuing to get worse.

Lack of Infrastructure

In most traditional labs, each examiner stores all of the evidence and case information on his or her individual machine. This makes the backup and restoration of cases, evidence and reports a time-consuming and critical part of the process that is often difficult to manage, if done at all. Even worse, cases often go on for years, and examiners must bring cases out of storage if and when they make it to court. It's interesting to note that in almost every case, agencies and commercial organizations cite their need for more human resources and more hardware resources. Yet, despite the cry for more, we rarely see a meaningful increase in those resources. The 2008 CSI survey shows that its respondents actually experienced a reduction in budget dollars for information security. Furthermore, it's a running joke among radio commentators and local newspapers: no matter how many more tax dollars are applied to increasing law enforcement numbers, somehow there rarely seems to be a significant increase. If there is an increase in officers, you can be sure that layoffs are only a couple of years away, usually about the time federal assistance dollars run out. So, given the relative certainty that resources will usually be scarce, why aren't law enforcement, government agencies and corporations looking for a technological solution that will actually amplify their existing resources?

Amplifying Existing Resources Utilizing Enterprise and Collaborative Computing Principles

In order to successfully overcome case backlog, organizations need to implement a technical foundation that maximizes the productivity of the resources they already have. If funding comes through and new resources are obtained, great. But until an organization is able to efficiently leverage existing resources, it will find itself trapped in the vicious cycle of too much work, too few people. In order to effectively amplify an organization's existing resources, the following capabilities are necessary.

Distributed Processing

Leverage both outdated and next-generation hardware to significantly reduce processing time. Distributed processing allows organizations to effectively offset their ever-increasing datasets, as well as their lack of budget for new hardware. With distributed processing capabilities, an organization can turn any unused CPU into an asset that reduces the amount of time it takes to process large datasets. The organization now has a scalable resource with which to increase or decrease processing power as needed.

FIGURE 1: Distributed processing leverages outdated and next-gen hardware to reduce processing time. Utilize a distributed processing farm to dramatically reduce processing time. This is a great way to leverage legacy hardware.

Simultaneous, Collaborative Analysis

Computer forensic departments need to move away from the One Analyst One Case paradigm and take an assembly line approach to their investigations. By distributing the workload across examiners, each person is able to focus on a single area of expertise. Examiners can work simultaneously with other examiners to get through cases much faster using the advanced capabilities of FTK. In addition, this solution allows organizations to coordinate analysts and other players in a case using a secure web interface. So, those who are geographically dispersed are able to easily contribute their expertise without delay.

Web Review and Analysis Capabilities

There are many players in an investigation. They are not all located in the lab and are not always forensic experts. It is often the case that key players in these investigations are working in disparate locations, and this can easily delay the conclusion of a case. A secure web interface provides a quick and easy way for non-technical personnel to review and comment on the evidence as the analysts identify it. Players in the investigation, such as lawyers, human resources personnel and representatives from the DA's office, are able to review the data in an easy-to-consume format as soon as it is available, from any location, which saves a great deal of time. With custom data views, reviewers are given permission by the case manager to review specific areas of cases.

FIGURE 2: Analysts can collaborate in the lab using FTK, and with AD Lab, geographically dispersed players in the investigation can review and comment on data using a secure web interface. Non-technical resources and outside analysts can review and comment on data via the secure web interface. Analysts can collaborate in real time via FTK.

Centralized Case Management

Organizations need a better way to manage case work and to manage analysts' case assignments and tasks. This capability allows a designated manager to rapidly assign cases, resources, tasks and case permissions to analysts. The manager can view the status of assigned tasks and has the flexibility to update or reassign tasks and resources as needed to orchestrate the most efficient completion of cases.

The Ability to Control Access and Activity

It's important when orchestrating synchronous collaboration among multiple analysts that organizations are able to control which data each analyst can access and which tasks he or she can perform, and to ensure their accountability. For example, if two analysts are assigned to a case (one a senior member of the team, and the other still in training), the case manager can tailor their individual roles and permissions to suit their skill levels or clearance levels. The senior analyst can be given permission to perform more advanced operations, while the junior analyst is assigned to a particular set of data, such as graphics. With a more advanced lab solution, the seasoned investigator can be given permission to view specific data sets that might be considered confidential or classified, while the less experienced analyst is only allowed to work with less sensitive content.

FIGURE 3: A designated Manager can assign cases, tasks and resources to analysts and monitor their progress to ensure efficient collaboration. Cases and analysts can be managed from a central management console.

Centralized Investigative Infrastructure

Using a Lab platform, organizations can centralize their investigative infrastructure. Instead of each examiner doing all the work on his or her individual stand-alone machine, each examiner can leverage a shared infrastructure where all of the case data and evidence are stored in a centralized and controlled manner. Access to each case is still controlled by the lab manager or examiner in charge of a specific case, but the actual hardware infrastructure, where all the work takes place, is centralized. (Note the centralized database and distributed processing farm in figures 1-3. The centralized Oracle infrastructure can be comprised of one or more databases.)

Lab Technology: Providing a Permanent Solution to an Ever-growing Problem

Human resources come and go, hardware resources become outdated, and the funding to maintain both is never a sure thing. However, implementing the right lab technology is a permanent solution that will streamline the entire process and speed up nearly every aspect of the investigation. AccessData (AD) has engineered lab technology that enables computer forensics labs to implement a digital assembly line of sorts. Based on the principles of enterprise computing and collaborative computing, this solution allows analysts to work together seamlessly, not just distributing data processing, but actually distributing their labor, while sharing a centralized infrastructure (database, storage, evidence server). Processing the data can be as fast as you want it to be with unlimited distributed processing capabilities. Analytical operations are compartmentalized by analyst, so an individual examiner doesn't need to shift his or her mindset from registry to RAM dumps or have to worry about moving the data around. Each examiner can focus on one or two areas of expertise, and other analysts working on the same case are able to see those findings in real time as they are bookmarked, labeled and commented on.
Having the ability to divide workload and to share information with each other and with non-technical counterparts will speed the analysis, the review, and the communications necessary to bring a case to its completion. However, while this lab solution enables real-time collaboration, a single analyst is still able to work an entire case from beginning to end on his or her machine. Each analyst has an investigative workstation that shares a single Oracle infrastructure, comprised of one or more databases. Investigator workstations can also share a distributed processing farm. An analyst is able to utilize this centralized infrastructure and, if he or she desires, can give permission to another analyst or non-technical player to review the findings and share expertise. AccessData provides two levels of its lab technology, Lab Lite and AD Lab. There are two capabilities differentiating the two solutions:

Case-level Permissions vs. Data-level Permissions

While AD Lab Lite allows the forensic analysts to be assigned to or restricted from viewing cases, the AD Lab solution allows case managers to assign or restrict access at the data level. For example, if the information in question or the suspects involved were considered extremely confidential, the case manager could restrict a junior analyst's access to documents of any kind. However, the manager might still want to utilize that junior resource to speed the investigation along. For example, the manager could restrict the junior analyst's access to include only log files, assigning that person to create a timeline over the last month showing each time an instant messenger application had been launched. This more granular

security provision is of particular benefit to large corporations or government agencies handling large caseloads with a great deal of confidential or classified information.

Web Review and Analysis

As discussed earlier, the web review capability is the easiest way to share information and leverage the abilities of non-technical players in an investigation or computer forensic experts located outside the lab. This functionality is only available with AD Lab, which is designed to handle large caseloads for organizations that have a number of different participants in the investigative process who should be working together. For example, a computer forensic examiner working in New York wants HR and Legal in Los Angeles to review the results of a policy violation investigation quickly and in an easy-to-consume format. These non-technical participants can log in to the web interface and only see the information the examiner wants them to see. Additionally, large labs dealing with massive datasets need many analysts of varying skill levels to work together simultaneously in order to efficiently tackle their caseloads. The secure web review interface of AD Lab enables those analysts to collaborate with ease.

The following illustrates the functionality available in each of AccessData's Lab solutions:

LAB FUNCTIONALITY                                        LAB LITE     AD LAB
DISTRIBUTED PROCESSING                                   expanded     expanded
INVESTIGATOR COLLABORATION via FTK                       unlimited    unlimited
CENTRALIZED CASE AND TASK MANAGEMENT                     yes          yes
ROLE-BASED PERMISSIONS TO CONTROL ACCESS AND ACTIVITY    case level   data level
CENTRALIZED DATABASE INFRASTRUCTURE                      no           yes
WEB REVIEW AND ANALYSIS                                  no           unlimited

Benefits

- By utilizing an assembly line, division-of-labor approach, the investigation process is streamlined and cases can be brought to completion more efficiently.
- Control who can see which information in a given case or across cases.
- Examiners can see each other's results in real time.
- Non-technical users can easily support the investigative process.
- Advanced users can work alongside non-technical resources.
- Leverage a distributed processing farm to greatly reduce processing time.
- Utilize outdated hardware for distributed processing.
- Take an enterprise approach to controlling data with a centralized infrastructure, instead of each examiner storing data on his or her individual machine.
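The access-control model described under "The Ability to Control Access and Activity" and "Case-level Permissions vs. Data-level Permissions" can be made concrete with a small policy check. The following is an added illustration written for this page, not AccessData code: it models a case-level-only tier (as the paper describes Lab Lite) next to a data-level tier (as it describes AD Lab), denies by default, and records every decision so the case manager can audit who looked at what. Case ids, analyst names and file names are constructed placeholders.

```python
"""Toy model of the two permission levels this paper contrasts: case-level
grants (Lab Lite) and data-level grants (AD Lab). Constructed example, not
AccessData code. Access is denied by default and every decision is recorded
so the case manager can audit analyst activity."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Category(Enum):
    """Data areas an analyst can be assigned to, per the paper's examples."""
    GRAPHICS = "graphics"
    DOCUMENTS = "documents"
    LOG_FILES = "log_files"
    REGISTRY = "registry"
    RAM_DUMP = "ram_dump"


@dataclass(frozen=True)
class Item:
    case_id: str
    category: Category
    name: str


@dataclass(frozen=True)
class Grant:
    case_id: str
    # None = the whole case (case-level grant); a set = only those data
    # categories within the case (data-level grant).
    categories: Optional[frozenset] = None


@dataclass
class PermissionStore:
    data_level: bool  # True models AD Lab, False models Lab Lite
    grants: Dict[str, List[Grant]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def grant_case(self, analyst: str, case_id: str) -> None:
        """Case-level assignment: the analyst sees everything in the case."""
        self.grants.setdefault(analyst, []).append(Grant(case_id))

    def grant_data(self, analyst: str, case_id: str, categories) -> None:
        """Data-level assignment: only the listed categories of the case."""
        if not self.data_level:
            raise ValueError("this lab tier only supports case-level grants")
        self.grants.setdefault(analyst, []).append(
            Grant(case_id, frozenset(categories)))

    def can_view(self, analyst: str, item: Item) -> bool:
        """Deny by default; allow only if a matching grant exists. Log it."""
        allowed = any(
            g.case_id == item.case_id
            and (g.categories is None or item.category in g.categories)
            for g in self.grants.get(analyst, []))
        self.audit.append((analyst, "allow" if allowed else "deny", item.name))
        return allowed


def demo() -> Tuple[Tuple[bool, ...], Tuple[bool, ...]]:
    """Walk the paper's senior/junior scenario through both tiers.

    Returns (Lab Lite decisions, AD Lab decisions). Case ids and file names
    are constructed placeholders."""
    case = "CASE-001"
    memo = Item(case, Category.DOCUMENTS, "confidential_memo.docx")
    im_log = Item(case, Category.LOG_FILES, "messenger_launch.log")
    other = Item("CASE-002", Category.LOG_FILES, "unrelated.log")

    # Case-level tier: the manager can only assign or withhold the whole
    # case, so letting the junior analyst build the IM-launch timeline also
    # exposes the confidential documents.
    lite = PermissionStore(data_level=False)
    lite.grant_case("junior", case)
    lite_decisions = (lite.can_view("junior", memo),
                      lite.can_view("junior", im_log))

    # Data-level tier: the senior analyst gets the whole case; the junior
    # analyst is restricted to log files within it and nothing outside it.
    lab = PermissionStore(data_level=True)
    lab.grant_case("senior", case)
    lab.grant_data("junior", case, {Category.LOG_FILES})
    lab_decisions = (lab.can_view("senior", memo),
                     lab.can_view("junior", memo),
                     lab.can_view("junior", im_log),
                     lab.can_view("junior", other))
    return lite_decisions, lab_decisions


if __name__ == "__main__":
    print(demo())
```

The audit list is what gives the manager the accountability the paper asks for: a denied request to a document the junior analyst was never granted is recorded just like an allowed one.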

Creating a collaborative environment with a shared, centralized infrastructure amplifies existing resources, allowing analysts of all skill levels to work more effectively.

Detailed Infrastructure Diagrams: Lab Lite and AccessData Lab

FIGURE 4: Distributed examiner and database infrastructure, using Lab Lite

Workflow

1. Beth logs in and creates a case on her local database.
2. She processes the evidence or obtains volatile data.
3. Beth needs Jack to look at what she processed in her NY office.
4. Beth gives Jack rights to the case.
5. Jack logs in.
6. Jack selects Beth's database from the database selection panel. He can now see her list of cases.
7. Jack selects the case and now sees all the work Beth did, and can perform additional analysis and bookmarking.

NOTE: Because it is a database on the back end, any bookmarks/labels are stored. This also means that multiple examiners can look at the same case at the same time without stumbling over each other.

FIGURE 5: Shared database infrastructure, using AccessData Lab

Summary

As stated earlier, until an organization is able to efficiently leverage existing resources, it will find itself trapped in the vicious cycle of too much work, too few people. Implementing a solution that amplifies existing resources by streamlining the investigative process and getting the most out of an organization's hardware is a permanent solution. AccessData's lab solutions are scalable, allowing an organization to build a solution that fits its caseload and resources, then expand as needed. Division of labor, distributed processing, a centralized infrastructure and timely sharing of data are the keys to overcoming the backlog faced by organizations of all kinds. The answer is not simply more resources. The answer is efficiently utilizing the resources you have.
